Educause Security Discussion mailing list archives

Re: [EXTERNAL] Re: [SECURITY] [EXTERNAL] Re: [SECURITY] Uptick in successful account attacks Fri 3/19/21


From: Ron Lee <rlee () ORU EDU>
Date: Tue, 23 Mar 2021 18:42:24 +0000

We began observing activity from Malaysia beginning on Saturday.  All current or former Nursing students.  Most of 
these email addresses were not part of any known data disclosures.

Ron Lee
Information Security Manager
Oral Roberts University
(918) 495-6482



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Theodore J. August
Sent: Friday, March 19, 2021 5:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] Re: [SECURITY] [EXTERNAL] Re: [SECURITY] Uptick in successful account attacks Fri 3/19/21


I cross referenced our Chegg list and most of the students were not on it.  In fact most of the students in question 
weren't on any breach lists that we have access to at the moment.

After reaching out to our Nursing Dept faculty, they provided us a number of sites/services they have students sign up 
for with their University provided e-mail address that aren't on SSO/SAML/LDAP authentication.  Three of the services are 
owned by Elsevier, which had a breach in 2019, but hasn't "leaked" yet.  No hard evidence to support this at this time 
- just circumstantial, but that could be the cause.

Best,

-
Ted August
Assistant Director of Cybersecurity and Compliance
Office of Information Technology
Salve Regina University



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Scantlin, Aaron J. <ScantlinA () MISSOURI EDU>
Date: Friday, March 19, 2021 at 1:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL] Re: [SECURITY] [EXTERNAL] Re: [SECURITY] Uptick in successful account attacks Fri 3/19/21

Spot checking some of the accounts, it looks like the common thread over here is that they were all implicated in the 
Chegg breach... sigh I wonder how many years we'll see folks re-use passwords from that service...

-Aaron

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Theodore J. August" <theodore.august () SALVE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, March 19, 2021 at 11:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [EXTERNAL] Re: [SECURITY] Uptick in successful account attacks Fri 3/19/21

Thanks Aaron for replying back.

For those here on the list - all the accounts we investigated today did have something in common - they were all 
current or former nursing students.  We are going to follow up with our nursing program here to see what services 
students may be registering with their university credentials to see if we can narrow down a site or service where an 
unannounced breach may have occurred.

Best,

-
Ted August
Assistant Director of Cybersecurity and Compliance
Office of Information Technology
Salve Regina University



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Scantlin, Aaron J. <ScantlinA () MISSOURI EDU>
Date: Friday, March 19, 2021 at 11:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [EXTERNAL] Re: [SECURITY] Uptick in successful account attacks Fri 3/19/21

We had a rash of compromises overnight as well.

Aaron J. Scantlin
Security Analyst
GCFA, GNFA
University of Missouri System
(573) 884 - 7555
scantlina () umsystem edu


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Theodore J. August" <theodore.august () SALVE EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, March 19, 2021 at 10:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Uptick in successful account attacks Fri 3/19/21

Just a quick note to the community to see if anyone else is seeing an uptick in successful account attacks today?  Our 
numbers are anomalously high over the last 12 hours or so.

Best,

-
Ted August
Assistant Director of Cybersecurity and Compliance
Office of Information Technology
Salve Regina University



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
